On 8/7/2013 4:45 AM, Stian Thorgersen wrote:
> ----- Original Message -----
> > From: "Bill Burke" <bburke(a)redhat.com>
> > To: "Gabriel Cardoso" <gcardoso(a)redhat.com>
> > Cc: keycloak-dev(a)lists.jboss.org
> > Sent: Tuesday, 6 August, 2013 5:04:39 PM
> > Subject: Re: [keycloak-dev] Avoid older user agents?
> >
> > For SSO login, we should support as old as possible (no javascript,
> > backward compatible to HTML 4? 3? 2? I don't know you tell me....).
>
> HTML4 transitional is fine, pretty much covers 99.9999% of browsers in use today. We can
> use JavaScript as long as it's progressive enhancements (for example autofocus or
> placeholder replacement). The biggest issue is around css/style and testing that it's
> "pixel perfect"; there are several websites out there that can help with this.
>
> There may be an official list of browsers Redhat supports, but I would think recent
> versions of Chrome, Firefox, Safari, Opera (these are all generally updated and
> there are very few old versions around). IE6 is announced dead by MS themselves, and
> IE7 has a relatively low usage, so I would think IE8 is sufficient. That's not to say
> it won't work with older browsers, it may just look a bit crap.
>
> > For admin UI, we can be more restrictive, IMO. The admin UI is not
> > just a UI though. It is a set of REST services that can be called from
> > javascript (or whatever language/platform you want). For security
> > reasons we might want to restrict the types of browsers that can make
> > these REST requests.
>
> I'm wondering if limiting on agent header is false security as it can be easily
> changed.

I was thinking more of XSS. If somebody has logged into Keycloak with
an old browser. We're protecting the user, not preventing a direct
attack. Am I right here?

> Checking user agent before setting HttpOnly is also IMO not necessary
> as most browsers do (in fact IE does all the way back to 6 and Firefox to 3!). Anyone that
> still uses a browser that doesn't support it today is using a heavily out of date
> (and unsupported) browser, so it will be riddled with vulnerabilities in any case.

No, we would always set HttpOnly. The cookie spec allows for arbitrary
values.

I just think it's so important to think of any security vulnerability and
close it up. If we get one security hack, our credibility takes a huge hit.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
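The point made in the thread above, that HttpOnly can be set unconditionally because a client that does not understand the attribute just ignores it, is illustrated by the following added example. It is not Keycloak code and not from either of the posters; the cookie name "sid" and the value are constructed, the legacy-client model is a hypothetical simplification of RFC 6265 attribute handling, and the modern-client check uses Python's standard library cookie parser.

```python
"""Added example (not Keycloak code): always emit HttpOnly, no User-Agent sniffing."""
from http.cookies import SimpleCookie

# Attributes a hypothetical pre-HttpOnly user agent understands (constructed list).
LEGACY_KNOWN_ATTRIBUTES = frozenset({"path", "domain", "expires", "max-age", "secure"})


def session_cookie_header(name: str, value: str, secure: bool = True) -> str:
    """Build a Set-Cookie header value for a session cookie.

    HttpOnly is always present: there is no User-Agent check, because a client
    that predates the attribute ignores unknown attribute tokens and still
    stores the cookie, so the flag costs nothing on old browsers and protects
    the session from script access on modern ones.
    """
    # Reject characters that would let a value smuggle extra attributes or
    # headers into the response (';' separates attributes, CR/LF end headers).
    if any(ch in value for ch in ";\r\n") or any(ch in name for ch in ";=\r\n"):
        raise ValueError("cookie name/value must not contain ';', '=', CR or LF")
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def store_as_legacy_client(set_cookie: str) -> dict:
    """Model how an old user agent handles the header: keep name/value and the
    attributes it knows, silently drop the ones it does not (RFC 6265 5.2)."""
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    name, _, value = name_value.partition("=")
    stored = {"name": name, "value": value, "attributes": {}, "ignored": []}
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.lower() in LEGACY_KNOWN_ATTRIBUTES:
            stored["attributes"][key.lower()] = val
        else:
            stored["ignored"].append(key)
    return stored


def script_visible_in_modern_client(set_cookie: str) -> bool:
    """Parse the header as a current client would (stdlib SimpleCookie) and
    report whether document.cookie-style script access would see it, i.e.
    whether HttpOnly is absent."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    return not morsel["httponly"]


if __name__ == "__main__":
    header = session_cookie_header("sid", "abc123")
    print(header)
    print("legacy client stored:", store_as_legacy_client(header))
    print("script can read it in a modern client:", script_visible_in_modern_client(header))
```

The legacy model keeps the session working (value and Secure survive, HttpOnly is merely ignored), while the modern parser hides the cookie from script; that asymmetry is why the flag can be set for every user agent rather than gated on a header the client controls.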